{ config, pkgs, inputs, ... }:
let
  # Apex name; the ACME certificate and every nginx vhost in this file are
  # derived from it.
  domain = "notbad.dynv6.net";
  # Contact address passed to the ACME certificate definition further down.
  email = "badya65@gmail.com";
  # Location body for "/" on the apex vhost: a static document root.
  homepage = {
    root = "/system/data/homepage";
  };
  # Location body for "/pub/" on the apex vhost: an unauthenticated directory
  # index. Everything below the alias target is listable and downloadable by
  # anyone, so nothing sensitive should be placed (or symlinked) there; nginx
  # follows symlinks unless `disable_symlinks` is configured.
  # The alias ends in "/" just like the "/pub/" location it is attached to.
  # Keep the two in step: an alias with a trailing slash under a location
  # without one is the well-known nginx path-traversal misconfiguration.
  public = {
    extraConfig = ''
      fancyindex on;
      fancyindex_exact_size on;
      directio 4M;
    '';
    alias = "/system/data/pub/";
  };
in {
  # Feature switches of the project's own `roles.server` module (its
  # implementation is not part of this file).
  roles.server = {
    nginx.enable = true;
    forgejo.enable = true;
    miniflux.enable = true;
    # The admin credentials are referenced by the path of an age-managed
    # secret, so the values themselves never appear in this file; only the
    # path string ends up in the evaluated configuration.
    miniflux.adminCredentialsFile = config.age.secrets.miniflux.path;
    inherit domain;
  };

  # Encrypted secret files declared for this host. Consumers below refer to
  # them through `config.age.secrets.<name>.path`, never by content.
  age.secrets =
    let
      inherit (inputs.self.modules) secrets;
    in {
      # Environment file for the rfc2136 DNS-01 challenge (security.acme).
      dynv6.file = secrets.dynv6;
      # Admin credentials for miniflux (roles.server.miniflux).
      miniflux.file = secrets.miniflux;
      # Signing key used by nix-serve (services.nix-serve.secretKeyFile).
      # Whoever holds it can sign store paths that clients trusting the
      # matching public key will accept, so treat it like a release key.
      nix-serve.file = secrets."nix.notbad.dynv6.net-1";
    };

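  # Binary cache daemon, published through the "nix.${domain}" nginx vhost.
  # nix-serve hands out any path in the local store to whoever can reach it,
  # so the store of this machine must be considered public.
  services.nix-serve = {
    enable = true;
    package = pkgs.nix-serve;
    # Listen on loopback only. The NixOS module defaults to 0.0.0.0, which
    # leaves a plain-HTTP listener on every interface and makes its exposure
    # depend entirely on the firewall; with loopback the only way in is the
    # TLS-terminating nginx proxy, which reads this same option for its
    # upstream address.
    bindAddress = "127.0.0.1";
    # Path of the age-managed signing key; the key material stays out of the
    # Nix store.
    secretKeyFile = config.age.secrets.nix-serve.path;
  };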

  # One certificate, stored under the apex name, covering "*.<domain>" plus
  # the apex itself. A wildcard can only be validated over DNS-01, hence the
  # DNS provider settings instead of a webroot.
  # Every vhost that sets `useACMEHost = domain` shares this single private
  # key, so reading it is enough to impersonate any subdomain.
  security.acme.certs.${domain} = {
    inherit email;
    # NOTE(review): the certificate files are owned by the default ACME group
    # here; nginx has to be a member of that group to read them. Presumably
    # arranged elsewhere; confirm.
    group = config.security.acme.defaults.group;
    dnsProvider = "rfc2136";
    dnsPropagationCheck = true;
    # Credentials for the DNS updates come from an age-managed file. They
    # allow changing records in the zone, which is sufficient to obtain
    # certificates for it, so scope the key as narrowly as the DNS service
    # permits.
    environmentFile = config.age.secrets.dynv6.path;
    domain = "*.${domain}";
    extraDomainNames = [ domain ];
  };

  services.nginx.virtualHosts = {
    # Apex site: static homepage plus the public directory index.
    ${domain} = {
      enableACME = true;
      # No HTTP-01 webroot; the certificate of the same name is issued over
      # DNS-01 by the security.acme.certs entry.
      acmeRoot = null;
      forceSSL = true;
      locations = {
        "/" = homepage;
        "/pub/" = public;
      };
      # HSTS for 180 days including subdomains: browsers that have seen this
      # header refuse plain HTTP for every "*.<domain>" name until it expires.
      # nginx drops inherited add_header lines in any location that declares
      # its own, so a location gaining an add_header must repeat this one.
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      '';
    };

    # TLS front end for the binary cache. The hop to nix-serve is plain HTTP
    # to whatever address and port the nix-serve module is configured with;
    # that listener should be on loopback or firewalled so clients cannot
    # bypass this proxy.
    "nix.${domain}" = {
      useACMEHost = domain;
      forceSSL = true;
      locations."/".proxyPass =
        let
          cache = config.services.nix-serve;
        in "http://${cache.bindAddress}:${toString cache.port}";
    };

    # Catch-all: also the default server, so requests whose Host matches no
    # other vhost land here and are redirected to the apex instead of being
    # served content.
    "*.${domain}" = {
      useACMEHost = domain;
      forceSSL = true;
      default = true;
      globalRedirect = domain;
    };
  };
}
